Security overview
This topic presents a security overview for CyberArk Secrets Manager Credential Providers.
Secrets Manager Credential Providers product overview
Secrets Manager Credential Providers enable organizations to protect data residing in business systems by eliminating hard-coded credentials from application source code, scripts, and configuration files. Using this solution, applications can securely store and retrieve credentials, thereby reducing the risk of unauthorized use.
Credential Providers utilize CyberArk Privileged Access Management (PAM) solutions for securing, storing, and rotating privileged application credentials.
Credential Providers use a secure local cache. The local cache enables high-performance password requests and high availability, including during a network outage between the Credential Provider and PAM - Self-Hosted.
Credential Providers deliver a comprehensive solution for managing application passwords. This solution:

| Capability | Description |
| --- | --- |
| Eliminates the need for hard-coded passwords | Organizations can remove static credentials from scripts, application source code, and configuration files, leaving the developer unaware of the secret’s value. |
| Securely stores and rotates application credentials | CyberArk PAM - Self-Hosted stores and rotates application credentials and provides numerous underlying security capabilities such as authentication, encryption, and data protection. Application passwords can be rotated automatically based on policy, without impacting application performance and without downtime. |
| Authenticates applications | Credential Providers use advanced methods of identification to authenticate applications requesting credentials, based on application and machine characteristics. |
| Provides audits | Credential Providers provide audit logs, allowing password request activity to be monitored. |
| Secures the local cache for storing credentials | Credential Providers use a secure local cache designed for high availability and performance, as well as resilience to network disruptions. |
| Supports multiple platforms | Credential Providers provide a flexible solution designed to support large enterprise environments in which various platforms are used. |
Secrets Manager Central Credential Provider product overview
Applications that require credentials to access a remote device or to run another application remotely can request the relevant credentials from the Central Credential Provider using the REST or SOAP APIs.
The Central Credential Provider consists of the Credential Provider for Windows, which is installed on an Internet Information Services (IIS) server, and the Central Credential Provider web service, which is called by scripts and applications to retrieve credentials at runtime. The solution:

| Capability | Description |
| --- | --- |
| Eliminates the need for hard-coded passwords | Organizations can remove static credentials from scripts, application source code, and configuration files that reside on remote machines. |
| Authenticates applications | The Central Credential Provider uses advanced means to authenticate applications requesting credentials, based on varying operating system and application characteristics. |
| Serves applications on remote machines | The Central Credential Provider runs as a web service that is used by applications residing on remote machines. |
| Provides audits and activity information | In addition to the Credential Providers audit logs, the Central Credential Provider maintains usage data. |
For information about CIS benchmark compatibility, see CIS benchmark compatibility for Central Credential Provider.
Assumptions
Credential Providers
It is the customer’s responsibility to adopt and apply industry-standard organizational security measures to define and protect its privileged and non-privileged users. This includes, among other measures, following the least-privilege principle when defining privileged and non-privileged users (including the users that deploy and run Credential Providers and the users that run the applications), and ensuring that these users are segregated and their credentials are stored securely.
Customers should only allow an administrator with the highest privilege level to deploy and run the Credential Providers.
A general underlying assumption is that the customer’s administrator is not careless, willfully negligent or hostile, and that they administer Credential Providers in compliance with the Credential Providers documentation and with the customer’s internal security policies.
Once a Credential Provider is running, it authenticates the requesting applications, validating the access to secrets stored in the Vault / Privilege Cloud based on user-defined policy. It is the customer’s responsibility to follow the security best practices when defining application authentication policies.
Central Credential Provider
The Central Credential Provider is open to the Internet and is therefore inherently susceptible to a variety of attack vectors. The Central Credential Provider is installed on an Internet Information Services (IIS) server, which can provide multiple security mechanisms if configured appropriately. The Central Credential Provider does not configure IIS. It is the customer’s responsibility to configure IIS so as to define and maximize its security capabilities.
The Central Credential Provider runs using the IIS user. The Central Credential Provider functions under the assumption that IIS users are protected and secured. A compromised IIS user may have a critical impact on the Central Credential Provider and the machine. It is the customer’s responsibility to apply appropriate measures to protect these users.
The Central Credential Provider performs authentication on calling applications based on the customer’s authentication method configuration. It is the customer’s responsibility to configure and define its authentication methods.
It is the customer’s responsibility to adopt and apply industry-standard organizational security measures to define and protect the users on the remote machines that are using the Central Credential Provider.
Any user that successfully passed all IIS validations and the Central Credential Provider’s authentications is regarded as valid.
Security best practices
Credential Providers best practices

- Privileged users on the Credential Provider server, and non-privileged users that use the Credential Provider, should connect through Privileged Session Manager (PSM). PSM adds an additional layer of protection by limiting access to the machine and by monitoring and recording the session.
- On supported platforms, use Endpoint Privilege Manager (EPM) to enhance the security of the Credential Provider server. EPM provides privilege management, application control, and threat protection.
- Defining application authentication appropriately is fundamental:
  - We strongly recommend using multiple application authentication methods to enhance the robustness of an application’s authentication. Among the authentication methods used, we recommend including at least one of the following: OS User or Allowed Machines.
  - Specifically for applications that are located on the same machine as the Credential Provider and work with it, we recommend always including OS User or Allowed Machines authentication when defining authentication for the applications. For more information, see Application authentication methods.
Central Credential Provider best practices

CyberArk highly recommends that customers follow the guidelines and best practices below:

- Follow the security guidelines and best practices for the Credential Providers.
- Ensure that the Central Credential Provider, its dedicated Credential Provider, and IIS are always up to date and running on the latest version.
- Defining application authentication appropriately is fundamental:
  - Use at least one application authentication method: OS User, Allowed Machines, or Client Certificate. Enhance the robustness of the authentication by combining multiple application authentication methods.
  - Use all application authentication methods for the Central Credential Provider application (by default, AIMWebService). For details, see Define the Central Credential Provider web service.
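The following is an added example, not CyberArk's own code, of how a calling application on a remote machine can retrieve a credential from the Central Credential Provider REST API while presenting a client certificate (the Client Certificate authentication method recommended above) and verifying the server's certificate. It assumes the default AIMWebService path `/AIMWebService/api/Accounts`, the query parameters `AppID`, `Safe`, `Folder` and `Object`, and the JSON fields `Content`, `UserName`, `Address`, `ErrorCode` and `ErrorMsg`; confirm these against your CCP version. Hostnames, file paths and the sample responses are constructed.

```python
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request

# Assumed default path of the CCP web service (AIMWebService) and its query parameters.
CCP_PATH = "/AIMWebService/api/Accounts"

class CcpError(Exception):
    """Raised when CCP rejects the request or returns no credential."""

def build_ccp_url(base_url, app_id, safe, obj, folder="Root"):
    """Build the retrieval URL, URL-encoding every caller-supplied value."""
    params = {"AppID": app_id, "Safe": safe, "Folder": folder, "Object": obj}
    return base_url.rstrip("/") + CCP_PATH + "?" + urllib.parse.urlencode(params)

def make_mtls_context(ca_bundle, client_cert, client_key):
    """Verify the CCP server against our CA bundle and present our client
    certificate, which is what the Client Certificate auth method checks."""
    ctx = ssl.create_default_context(cafile=ca_bundle)  # hostname check stays on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx

def parse_ccp_response(body):
    """Turn the CCP JSON body into a credential dict, or raise CcpError."""
    data = json.loads(body)
    if "ErrorCode" in data:  # assumed: CCP reports failures as ErrorCode/ErrorMsg
        raise CcpError(f"{data['ErrorCode']}: {data.get('ErrorMsg', '')}")
    if "Content" not in data:
        raise CcpError("CCP response contains no Content field")
    return {"username": data.get("UserName"), "address": data.get("Address"),
            "password": data["Content"]}  # never write this dict to logs

def fetch_credential(base_url, app_id, safe, obj, ctx, timeout=5):
    """Retrieve one account from CCP over mutual TLS."""
    url = build_ccp_url(base_url, app_id, safe, obj)
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
            body = resp.read().decode()
    except urllib.error.HTTPError as err:
        body = err.read().decode()  # assumed: error JSON arrives with a 4xx status
    return parse_ccp_response(body)

# Constructed sample bodies (not captured from a real CCP) for offline testing.
SAMPLE_OK = '{"Content":"s3cr3t","UserName":"svc_billing","Address":"db1.example.test"}'
SAMPLE_ERR = '{"ErrorCode":"CONSTRUCTED001E","ErrorMsg":"constructed error response"}'
```

In production, call `fetch_credential("https://ccp.example.test", "BillingApp", "AppSecrets", "db-billing", make_mtls_context("ca.pem", "app.crt", "app.key"))` and pass the returned password straight to the consuming library rather than storing it.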